This Data Protection Addendum ("Addendum") between WOAS Technology Pvt. Ltd. ("WOAS") and the Customer (as defined in the Master Services Agreement) is an addendum to and forms part of the WOAS Technology Pvt. Ltd. Terms of Service set forth at https://www.wooqer.com/terms/ (or successor URL), as supplemented by any order form, statement of work, or other agreement entered into between the Customer and WOAS Technology Pvt. Ltd. governing the Customer's access to and use of the WOAS Technology Pvt. Ltd. services (collectively, the "Agreement").
Customer enters into this Addendum on behalf of itself and any Affiliates authorised to use the Services under the Agreement (and who have not entered into a separate contractual arrangement with WOAS Technology Pvt. Ltd.). For the purposes of this Addendum only, and except where otherwise indicated, references to "Customer" shall include Customer and such Affiliates.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
1. Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- "Affiliate" means an entity that owns or controls, is owned or controlled by, or is or under common control or ownership with either Customer or WOAS Technology Pvt. Ltd., where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- "Customer Personal Data" means any Personal Data provided by or made available to WOAS Technology Pvt. Ltd. or processed by WOAS Technology Pvt. Ltd. on behalf of Customer in connection with the management and provision of the Services through, or in connection with, the Services pursuant to the Agreement.
- "Controller to Processor Clauses" means the standard contractual clauses for the cross-border transfer of personal data from controllers in the European Union to processors established outside the European Union, as approved by the European Commission in Decision 2021/914 (or any subsequent version thereof published by the European Commission).
- "Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law, the UK Data Protection Law, the Digital Personal Data Protection Act, 2023 of India, the California Consumer Privacy Act and any other applicable national data protection laws.
- "EU Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, in each case as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Commission Decision 2021/914.
- "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- "UK Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case as amended, superseded or replaced from time to time.
- "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as further defined under applicable Data Protection Laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
- "Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
- "Services" means the services to be supplied by WOAS Technology Pvt. Ltd. to Customer or Customer's Affiliates pursuant to the Agreement.
- "Third Country" means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority including, but not limited to, the European Commission and other regulatory authorities of competent jurisdiction.
- "Controller", "Business Purpose", "commercial purpose", "Contractor", "Personal Data Breach", "Processor", "Process", "Sell", "Service Provider", "Share", "Sub-processor", and "Supervisory Authority" shall have the meanings given to them under applicable Data Protection Laws; the term "Process" includes its cognate terms.
Capitalised terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
2. Roles of the Parties
The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Customer is the Controller and WOAS Technology Pvt. Ltd. is a Processor and shall engage Sub-processors pursuant to the requirements set out in this Addendum.
3. Description and Purpose of Personal Data Processing
Annex I to this Addendum sets out the Parties and the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Customer for which the Customer Personal Data is Processed.
The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement and any Order Form(s).
4. Data Processing Terms
4.1 Customer Instructions
Customer shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data. In connection with its access to and use of the Services, Customer shall Process Customer Personal Data only in accordance with the requirements of Data Protection Laws and any other applicable laws. Customer shall be solely responsible for complying with all applicable Data Protection Laws with respect to the collection of Customer Personal Data, the means by which Customer acquired the Customer Personal Data and the instructions it provides to WOAS Technology Pvt. Ltd. regarding the Processing of such Customer Personal Data. Customer shall ensure that its processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws.
4.2 WOAS Technology Pvt. Ltd. Processing of Customer Personal Data
- WOAS Technology Pvt. Ltd. shall, and shall ensure that its personnel engaged in the Processing of Customer Personal Data shall, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Agreement: Process Customer Personal Data in accordance with Customer's instructions, including with regards to transfers of Customer Personal Data outside the European Economic Area or to an international organisation, unless required to do so by applicable laws to which WOAS Technology Pvt. Ltd. is subject; in such a case, WOAS Technology Pvt. Ltd. shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- WOAS Technology Pvt. Ltd. shall treat all Customer Personal Data as strictly confidential and shall ensure that any persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- WOAS Technology Pvt. Ltd. shall, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to the Customer with the fulfilment of the Customer's obligation to respond to requests from data subjects exercising their rights under applicable Data Protection Laws.
- WOAS Technology Pvt. Ltd. shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by WOAS Technology Pvt. Ltd.
- WOAS Technology Pvt. Ltd. shall, at Customer's option, delete or return all Customer Personal Data to Customer after the end of the provision of Services, and delete existing copies, unless storage is required by applicable law.
- WOAS Technology Pvt. Ltd. shall make available to Customer information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the audit terms set out in this Addendum.
- WOAS Technology Pvt. Ltd. shall immediately inform Customer if, in WOAS Technology Pvt. Ltd.'s opinion, an instruction infringes applicable Data Protection Laws.
4.3 Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, WOAS Technology Pvt. Ltd. shall, in relation to Customer Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex II.
4.4 Sub-processing
- Customer provides general authorisation to WOAS Technology Pvt. Ltd. to engage Sub-processors to Process Customer Personal Data. WOAS Technology Pvt. Ltd. maintains a current list of Sub-processors in Annex III. WOAS Technology Pvt. Ltd. shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors, giving Customer the opportunity to object to such changes.
- Where WOAS Technology Pvt. Ltd. engages a Sub-processor, it shall do so by way of a written contract that imposes on the Sub-processor, in substance, the same data protection obligations as those imposed on WOAS Technology Pvt. Ltd. under this Addendum. WOAS Technology Pvt. Ltd. shall remain fully liable to the Customer for the performance of the Sub-processor's obligations.
4.5 Personal Data Breach Notification
WOAS Technology Pvt. Ltd. shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow it to meet any obligations to report or inform data subjects or Supervisory Authorities of the Personal Data Breach under Data Protection Laws.
4.6 Audits
WOAS Technology Pvt. Ltd. shall, upon reasonable prior written notice, make available to Customer information reasonably necessary to demonstrate compliance with this Addendum, and allow for and contribute to audits, including inspections, conducted by Customer or another independent third-party auditor mandated by Customer. Such audits will be limited to once per calendar year (unless required by a Supervisory Authority or following a Personal Data Breach), conducted during business hours, and subject to reasonable confidentiality obligations.
5. Restricted Transfers
The Parties agree that when the transfer of Customer Personal Data from Customer (as the Controller) to WOAS Technology Pvt. Ltd. (as the Processor) is a Restricted Transfer and Data Protection Laws require that appropriate safeguards be put in place, the transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this Addendum, as follows:
- In relation to transfers of Customer Personal Data protected by the EU GDPR and processed in a Third Country, the EU SCCs (Module Two: Controller to Processor) shall apply, completed as follows:
- Module Two will apply (controller to processor transfers).
- In Clause 7, the optional docking clause will apply.
- In Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in this Addendum.
- In Clause 11, the optional language will not apply.
- In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.
- In Clause 18(b), disputes shall be resolved before the courts of Ireland.
- Annex I.A (List of Parties) is set out in Annex I to this Addendum.
- Annex I.B (Description of Transfer) is set out in Annex I to this Addendum.
- Annex I.C (Competent Supervisory Authority) is set out in Annex I to this Addendum.
- Annex II (Technical and Organisational Security Measures) is set out in Annex II to this Addendum.
- Annex III (List of Sub-processors) is set out in Annex III to this Addendum.
- In relation to transfers of Customer Personal Data protected by the UK GDPR, the EU SCCs as completed above will apply, as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018, which shall be deemed entered into and incorporated by reference.
6. Procedures
The provisions of this Addendum are supplemental to the provisions of the Agreement. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum shall prevail. In the event that any provision of this Addendum is held to be unenforceable, the Parties agree to substitute such provisions with valid and enforceable provisions which achieve the original commercial objective of the unenforceable provision to the extent permitted by law.
7. Indemnity
To the extent permissible by law, Customer shall indemnify and hold harmless WOAS Technology Pvt. Ltd. against all claims, actions, third-party claims, losses, damages and expenses incurred by WOAS Technology Pvt. Ltd. and arising directly or indirectly out of, or in connection with, a breach of this Addendum and/or Data Protection Laws by Customer. WOAS Technology Pvt. Ltd. shall indemnify and hold harmless Customer against all claims, actions, third-party claims, losses, damages and expenses arising directly out of, or in connection with, a breach of this Addendum and/or Data Protection Laws by WOAS Technology Pvt. Ltd. (subject to any limitations of liability set out in the Agreement).
8. Severability
The Parties agree that, if any section or sub-section of this Addendum is held by any court of competent jurisdiction to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section or sub-section of this Addendum.
9. Miscellaneous
The Addendum considers the following and follows:
- Privacy by design and default.
- Accountability and security of Processing.
- Notification of Breaches involving Customer Personal Data to the Customer in accordance with applicable laws.
- Conducting Privacy Impact Assessment where appropriate and as required by applicable Data Protection Laws.
- Assurance of WOAS Technology Pvt. Ltd.'s assistance to the Customer in observation of the rights of the Data Subjects.
- WOAS Technology Pvt. Ltd. shall comply with any other lawful regulatory requirements, ISO 27001:2013, ISO 27701:2019 and SOC 2 / SOC 3 requirements.
- In the event a Data Subject wishes to exercise its data subject rights under applicable Data Protection Laws, including but not limited to a data subject's rights of access to erasure or restriction of Processing of Personal Data, WOAS Technology Pvt. Ltd. shall assist the Customer in fulfilling its obligation to respond to such requests under applicable Data Protection Laws.
- In the event of the Customer's intent to act upon Personal Data of any of the Data Subjects, the same shall be done by contacting the Data Protection Officer at:
Name: Niranjan Sukumaran
Email ID: niranjan.s@wooqer.com
- There are no Temporary Files generated during Processing.
Annex I — Description of Processing Activities for Customer Personal Data
This Annex includes certain details of the Processing of Customer Personal Data by WOAS Technology Pvt. Ltd. in connection with the Services.
1. List of Parties
Data Exporter
| Name | Customer (as defined in the Agreement) |
|---|
| Address | As set forth in the relevant Order Form |
|---|
| Contact person's name, position and contact details | As set forth in the relevant Order Form |
|---|
| Activities relevant to the data transferred under these Clauses | Recipient of the Services provided by WOAS Technology Pvt. Ltd. in accordance with the Agreement |
|---|
| Signature and date | Signature and date are set out in the Agreement |
|---|
| Role (controller/processor) | Controller |
|---|
Data Importer
| Name | WOAS Technology Pvt. Ltd. |
|---|
| Address | 3rd Floor, #1090, 18th Cross, HSR Layout Sector 3, Bangalore, KA, 560102, India |
|---|
| Contact person's name, position and contact details | Niranjan Sukumaran, Data Protection Officer, niranjan.s@wooqer.com |
|---|
| Activities relevant to the data transferred under these Clauses | Provision of the Services to the Customer in accordance with the Agreement |
|---|
| Signature and date | Signature and date are set out in the Agreement |
|---|
| Role (controller/processor) | Processor |
|---|
2. Competent Supervisory Authority
Identify the competent Supervisory Authority/ies in accordance with Clause 13 of the EU SCCs (e.g. in accordance with Clause 13 of the EU SCCs): As determined by application of Clause 13 of the EU SCCs.
3. Processing Information
| Categories of data subjects whose personal data is transferred | Customer's authorised users of the Services |
|---|
| Categories of personal data transferred | Personal data submitted by the Services, including: name, email IDs, role, location, organisation, designation, mobile number, IP address, device identifiers, login/usage metadata |
|---|
| Sensitive personal data transferred | None |
|---|
| Frequency of the transfer | Continuous |
|---|
| Nature of the processing | The nature of the processing is more fully described in the Agreement and accompanying order forms; in summary, hosting, storage, transmission, retrieval, deletion and other operations necessary to provide the Services. |
|---|
| Purpose of the data transfer and further processing | The purpose of the transfer is to facilitate the performance of the Services. Other purposes are described in the Agreement and accompanying order forms. |
|---|
| Period for which the personal data will be retained | Customer Personal Data is processed for the duration of the Agreement, subject to the provisions of this Addendum. |
|---|
| For processing involving (Sub-)processors, please also specify the subject matter, nature and duration of the processing | As set out in Annex III (Sub-processors). |
|---|
Annex II — Technical and Organisational Security Measures
Description of the technical and organisational security measures implemented by WOAS Technology Pvt. Ltd. (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
1. Security
1.1 Security Management System
- Organisation — WOAS Technology Pvt. Ltd. designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the information security program.
- Policies — Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.
- Assessments — WOAS Technology Pvt. Ltd. engages a reputable independent third-party to perform risk assessments of its systems containing Customer Personal Data at least once annually.
- Risk Treatment — WOAS Technology Pvt. Ltd. maintains a formal and effective risk treatment program that includes periodic reviews and updates to identify, prioritise and protect against threats to the security, integrity or confidentiality of Customer Personal Data.
- Vendor Management — WOAS Technology Pvt. Ltd. maintains an effective vendor management program designed to evaluate vendors and ensure adequate protection of Customer Personal Data.
- Incident Response — WOAS Technology Pvt. Ltd. reviews security incidents regularly, including effective identification and root cause analysis of such incidents.
- Insurance — WOAS Technology Pvt. Ltd. has an effective insurance management program designed to evaluate insurance coverage and ensure adequate protection in the event of a security incident.
1.2 Personnel Security
- Personnel — WOAS Technology Pvt. Ltd. personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
- Personnel Agreements — WOAS Technology Pvt. Ltd. conducts reasonably appropriate background checks on its employees who will have access to Customer Personal Data, where permitted by applicable laws.
- Training — WOAS Technology Pvt. Ltd. requires its personnel to execute a confidentiality agreement and to complete confidentiality and security training when first hired and at regular intervals thereafter.
1.3 Access Controls
- Access Management — WOAS Technology Pvt. Ltd. maintains a formal access management process for the request, review, and approval of account privileges. Access requires unique credentials and is granted based on the principle of least privilege.
- Authentication — Strong authentication (including multi-factor authentication where appropriate) is required for personnel with access to systems Processing Customer Personal Data.
- Infrastructure Security Personnel — WOAS Technology Pvt. Ltd. has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel.
1.4 Internet Data Access and Privilege Management
- Access Control and Privilege Management — WOAS Technology Pvt. Ltd.'s internal data access processes and policies are designed to deny unauthorised account access. WOAS Technology Pvt. Ltd. designs its systems to (i) only allow authorised persons to access data they are authorised to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorisation during Processing, use and after recording. The systems are designed to detect any inappropriate access. WOAS Technology Pvt. Ltd. employs a centralised access management system to control personnel access to production servers, and only provides access to a limited number of authorised personnel.
1.5 Data Center and Network Security
- Data Centers
- Infrastructure — WOAS Technology Pvt. Ltd. uses Tier 4 AWS data centers.
- Resilience — Host availability zones are enabled on AWS, and WOAS Technology Pvt. Ltd. conducts business continuity testing on regular basis to ensure ongoing resilience.
- Server Operating Systems — WOAS Technology Pvt. Ltd. servers are customised for the application environment for which the servers will be performing for the security of the WOAS Technology Pvt. Ltd. systems.
- Disaster Recovery — WOAS Technology Pvt. Ltd. replicates data over multiple systems to help to protect against accidental destruction or loss. WOAS Technology Pvt. Ltd. has designed and regularly plans and tests its disaster recovery programs.
- Security Logs — WOAS Technology Pvt. Ltd. systems supporting service offerings log information to a centralised logging service to permit security reviews and analysis.
- Vulnerability Management — WOAS Technology Pvt. Ltd. has a vulnerability assessment and remediation program in place to identify and address vulnerabilities in the systems and software supporting the components of services offering.
1.6 Networks and Transmission
- Data Transmission — Transmissions on production environment are transmitted via internet standard protocols.
- External Attack Surface — AWS Security Group rules are configured to ensure firewall is in place for Production environment on AWS.
- Incident Response — WOAS Technology Pvt. Ltd. maintains incident management policies and procedures, including detailed security incident escalation procedures. WOAS Technology Pvt. Ltd. monitors a variety of communication channels for security incidents, and WOAS Technology Pvt. Ltd.'s security personnel will react promptly to known incidents.
- Encryption Technologies — WOAS Technology Pvt. Ltd. makes HTTPS encryption (also referred to as SSL or TLS) available for data in transit.
1.7 Data Storage, Isolation, Authentication, and Destruction
WOAS Technology Pvt. Ltd. stores data in a multi-tenant environment on AWS servers. Data is replicated between multiple data centers for redundancy and consistency. WOAS Technology Pvt. Ltd. logically isolates the data of different customers. A central authentication system is used across all production operations to increase uniform security of data. Authentication credentials are stored in encrypted form using salted hashes. Customer data is securely destroyed at the end of subscription term and as further specified in the Agreement.
Annex III — WOAS Technology Pvt. Ltd.'s Sub-processors
The Customer authorises WOAS Technology Pvt. Ltd. to use the Sub-processors listed below for the Processing of Customer Personal Data:
| Name of Sub-processor |
Description of Processing |
Location of Sub-processor |
| Amazon Web Services | Hosting infrastructure, including the application and data layer | USA |
| Google Workspace | Email services | USA |
| SendGrid | Transactional email service | USA |
| Postmark | Transactional email service | USA |
| LinkedIn | Customer communication platform | USA |
| HubSpot | CRM / marketing automation | USA |
| Apollo | Sales engagement platform | USA |
| JotForm | Communication platform | USA |
| Zoho | Customer ticketing system | India |
| Slack | Internal communication tool | USA |
| WAATI | Cloud phone system | India |
| HotJar | Web analytics / session recording | Global |
| BotPenguin | Chatbot / messaging platform | India |
| Bit.aero | Job portal | India |
| Resend | Email API service | Global |
| SalesOne LLC | Sales automation | Global |
| Attention | Streamline Collaboration and project management | UK |
| Anthropic | AI assistant | UK |
WOAS Technology Pvt. Ltd. will notify the Customer of any intended changes to this list of Sub-processors in accordance with Section 4.4 of this Addendum.
Version 2026.05 · Last updated: May 18, 2026
For questions about this DPA, contact
privacy@wooqer.com.